What you need to know
- 17 apps have been removed from the App Store.
- The iPhone apps were found to contain malware.
- The apps covered a wide range of categories.
Apple has confirmed that it has removed as many as 17 apps from the App Store after it was found that they contained malware. Those apps all went through the App Store review process with no issues identified at the time.
The clicker trojan module discovered in this group of applications is designed to carry out ad fraud-related tasks in the background, such as continuously opening web pages or clicking links without any user interaction.
The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network.
Even though no data or financial theft took place, users would have been impacted by the trojan. People with these apps installed might have noticed their iPhone battery draining more quickly than usual. Or it might simply have performed more slowly than expected.
Worryingly, Wandera says that the apps didn't contain the maliscious code but rather received it via a request to a web server. That means there was no way for Apple's App Store review process to spot the malware until the apps were already available. That, in theory, means this could happen again.
The apps communicate with a known command and control (C&C) server to simulate user interactions in order to fraudulently collect ad revenue...
Command & Control enables bad apps to bypass security checks because it activates a communication channel directly with the attacker that is not within Apple's view. C&C channels can be used to distribute ads (like the ones used by the iOS Clicker Trojan), commands, and even payloads (such as a corrupt image file, a document or more). Simply put, C&C infrastructure is a 'backdoor' into the app which can lead to exploitation if and when a vulnerability is discovered or when the attacker chooses to activate additional code that may be hidden in the original app.
All of the affected apps were from AppAspect Technologies. Those apps were:
- RTO Vehicle Information
- EMI Calculator & Loan Planner
- File Manager – Documents
- Smart GPS Speedometer
- CrickOne – Live Cricket Scores
- Daily Fitness – Yoga Poses
- FM Radio – Internet Radio
- My Train Info – IRCTC & PNR (not listed under developer profile)
- Around Me Place Finder
- Easy Contacts Backup Manager
- Ramadan Times 2019
- Restaurant Finder – Find Food
- BMI Calculator – BMR Calc
- Dual Accounts
- Video Editor – Mute Video
- Islamic World – Qibla
- Smart Video Compressor
If you have any of those installed we'd suggest removing them ASAP.